Data Loss Prevention (DLP) , Next-Generation Technologies & Secure Development
Ransomware Gangs Take 'Customer Service' Approach
Researcher Negotiates Reduced Bitcoin Payments, Extended Ransom DeadlinesRansomware is so lucrative that cybercriminals have started creating "customer contact centers" to manage victims' related queries in hopes of maximizing their illicit profits.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
The criminal gangs are open to negotiation, offering discounts on ransoms to those who make a polite request, according to a new report from Finnish security firm F-Secure.
The company prepared the report by having a "non-technically oriented person" pretend to be a ransomware victim and document their experience of interacting with ransomware gangs' money collectors.
To focus the research, F-Secure says it studied active samples of malware for which there was also a working command-and-control infrastructure, coming up with a short list featuring Cerber, Cryptomix, Jigsaw, Shade and Torrent Locker, a.k.a. Teerac.
Initial ransom demands/deadlines for 5 ransomware families studied by @FSecure pic.twitter.com/pXCWTorf6E
— Mathew J Schwartz (@euroinfosec) July 28, 2016
The security firm then had the "victim" contact the customer support teams for one variant of each ransomware family. That individual pretended to be a 40-something married PC user named "Christine Walters" who sported very limited technical knowledge and a Hotmail account created in her (fake) name.
3 Ransomware Customer Service Takeaways
Here are a few takeaways, via the related report, from Christine's interactions:
- Bitcoins: Gangs only accepted payment in bitcoins, with no exceptions, and some - but not all - would help victims find a bitcoin vendor for making payments.
- Extensions: Despite threatening to hike the ransom demand if payment wasn't received within a specified time frame, every contacted gang granted extensions upon request.
- Discounts: Upon victims' request, ransomware gangs reduced the value of their ransom demand by an average of 29 percent.
To be clear, F-Secure says that it never followed through on payments, meaning that it neither funded criminals, nor verified if they would receive a working decryption key in exchange for bitcoins (see Please Don't Pay Ransoms, FBI Urges).
Discounts to Hand
Just by asking, however, Christine was able to knock the ransom asking price down for Cryptomix by 67 percent, for Jigsaw by 17 percent and for Shade by 30 percent, while the Cerber gang held firm, allowing no discount.
F-Secure says it wasn't able to make contact with representatives for the fifth ransomware family it studied - Shade.
On a related note, the High-Tech Crime Unit of the Dutch Police Services Agency, EU law enforcement intelligence agency Europol, as well as security firms Kaspersky Lab and Intel Security have announced they recently disrupted the malicious infrastructure powering Shade (see Ransom Smackdown: Group Promises Decryption Tools).
Claim: Targeted Attacks Were Commissioned
During her exchanges with ransomware gangs' customer support personnel, Christine didn't hesitate to pepper agents with questions. In one exchange with the team behind horror-movie-themed Jigsaw ransomware, for example, the agent reportedly expressed confusion as to how Christine's PC had been infected, saying that the attacks had been designed not to infect consumers at random, but rather to target a particular business (see Ransomware Grows More Targeted).
The agent claimed that the targeted attacks had been commissioned by a large business. "In follow-up questions, he explained that his service had been hired by a Fortune 500 corporation to disrupt day-to-day business of their competition, so the client could be the first to bring a product to market," according to F-Secure's report. "The purpose of the malware, he said, was 'just to lock files ... nothing major.'"
Of course it's not clear if the agent was being truthful. Sean Sullivan, a security advisor at F-Secure, says in the report that he doubts the veracity of those claims. "It's probably a young gun, just trying to make a hundred bucks; 95 percent chance he's spinning a yarn," he says. "At any rate, he was very sympathetic - he was so helpful he got our reviewer feeling guilty for tricking him. So very likely he's a master at social engineering."
We interacted w/ multiple crypto-ransomware families to judge their "customer journeys". https://t.co/6mQm8XKyxT pic.twitter.com/Jc6FDZBt73
— Sean Sullivan (@5ean5ullivan) July 18, 2016
Raj Samani, Intel Security's CTO for Europe, the Middle East and Asia, tells me that it's impossible to authenticate the Jigsaw agent's claims. "We can only go with the information we have before us," he says. On the other hand, "cybercriminals are available for hire," he adds, and if the account is true, it wouldn't be the first time that an unscrupulous competitor hired hackers to sabotage a rival.